#!/bin/bash

exec > /dev/null

# Protection contre le broadcast echo
 sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

# Active la protection sur les mauvais messages d'erreur 
 sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

# Autoriser le ping (0 = accepter ; 1 = refuser)
[ "$FILTER_DROP_ICMP" == 'true' ] && {
 sysctl -w net.ipv4.icmp_echo_ignore_all=1
} || {
 sysctl -w net.ipv4.icmp_echo_ignore_all=0
}

# Surveillance de la taille de la fenetre TCP
 sysctl -w net.ipv4.tcp_window_scaling=1

# Lutte contre le deni de service (DoS)
 sysctl -w net.ipv4.tcp_fin_timeout=30
 sysctl -w net.ipv4.tcp_keepalive_time=1800

# Change default TTL value
 sysctl -w net.ipv4.ip_default_ttl=64



###############################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
 sysctl -w net.ipv4.conf.default.rp_filter=1
 sysctl -w net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
 sysctl -w net.ipv4.tcp_syncookies=1

# On active la translation d'Ip et le port forwarding (NAT) 
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Uncomment the next line to enable packet forwarding for IPv4
#sysctl -w net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
# sysctl -w net.ipv6.conf.all.forwarding=1


###############################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.

# Do not accept ICMP redirects (prevent MITM attacks)
 sysctl -w net.ipv4.conf.all.accept_redirects=0
 sysctl -w net.ipv6.conf.all.accept_redirects=0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# sysctl -w net.ipv4.conf.all.secure_redirects=1

# Do not send ICMP redirects (we are not a router)
 sysctl -w net.ipv4.conf.all.send_redirects=0

# Do not accept IP source route packets (we are not a router)
 sysctl -w net.ipv4.conf.all.accept_source_route=0
 sysctl -w net.ipv6.conf.all.accept_source_route=0

# Log Martian Packets
 sysctl -w net.ipv4.conf.all.log_martians=1

